Add SSL support for freezer

This commit enable to send the certificate to support secure connections for freezer Implements bp: ssl-support Change-Id: I821ac837508351d9d84897c4c9a6ee651944dd32
2016-02-10 13:38:18 +00:00 · 2016-02-10 13:38:18 +00:00 · ab0157568a
parent 4c8e31255d
commit ab0157568a
12 changed files with 87 additions and 52 deletions
--- a/freezer/apiclient/actions.py
+++ b/freezer/apiclient/actions.py
@ -46,7 +46,9 @@ class ActionManager(object):

    def delete(self, action_id):
        endpoint = self.endpoint + action_id
-        r = requests.delete(endpoint, headers=self.headers, verify=self.verify)
+        r = requests.delete(endpoint,
+                            headers=self.headers,
+                            verify=self.verify)
        if r.status_code != 204:
            raise exceptions.ApiClientException(r)

--- a/freezer/apiclient/backups.py
+++ b/freezer/apiclient/backups.py
@ -43,7 +43,8 @@ class BackupsManager(object):

    def delete(self, backup_id):
        endpoint = self.endpoint + backup_id
-        r = requests.delete(endpoint, headers=self.headers, verify=self.verify)
+        r = requests.delete(endpoint, headers=self.headers,
+                            verify=self.verify)
        if r.status_code != 204:
            raise exceptions.ApiClientException(r)

--- a/freezer/apiclient/client.py
+++ b/freezer/apiclient/client.py
@ -130,7 +130,16 @@ def build_os_options():
                        ' "admin" or "adminURL". Defaults to '
                        'env[OS_ENDPOINT_TYPE] or "public"',
                   dest='os_endpoint_type'),
-
+        cfg.StrOpt('os-cert',
+                   default=env('OS_CERT'),
+                   help='Specify a cert file to use in verifying a TLS '
+                        '(https) server certificate',
+                   dest='os_cert'),
+        cfg.StrOpt('os-cacert',
+                   default=env('OS_CACERT'),
+                   help='Specify a CA bundle file to use in verifying a TLS '
+                        '(https) server certificate. Defaults to',
+                   dest='os_cacert'),
    ]

    return osclient_opts
@ -192,8 +201,9 @@ class Client(object):
                 project_name=None,
                 user_domain_name=None,
                 project_domain_name=None,
-                 verify=True,
-                 cacert=False):
+                 cert=False,
+                 cacert=False,
+                 insecure=False):

        self.opts = opts
        # this creates a namespace for self.opts when the client is
@ -218,18 +228,25 @@ class Client(object):
            self.opts.os_user_domain_name = user_domain_name
        if project_domain_name:
            self.opts.os_project_domain_name = project_domain_name
-
-        # flag to initialize freezer-scheduler with insecure mode
-        self.verify = verify
+        if insecure:
+            self.verify = False
+        elif cacert:
+            # verify arg in keystone sessions could be True/False/Path to cert
+            self.verify = cacert
+        else:
+            self.verify = True
+        if cert:
+            self.opts.os_cert = cert

        self._session = session
        self.version = version

-        self.backups = backups.BackupsManager(self, verify=verify)
-        self.registration = registration.RegistrationManager(self, verify=verify)
-        self.jobs = jobs.JobManager(self, verify=verify)
-        self.actions = actions.ActionManager(self, verify=verify)
-        self.sessions = sessions.SessionManager(self, verify=verify)
+        self.backups = backups.BackupsManager(self, verify=self.verify)
+        self.registration = registration.RegistrationManager(
+                self, verify=self.verify)
+        self.jobs = jobs.JobManager(self, verify=self.verify)
+        self.actions = actions.ActionManager(self, verify=self.verify)
+        self.sessions = sessions.SessionManager(self, verify=self.verify)


    @cached_property
--- a/freezer/apiclient/jobs.py
+++ b/freezer/apiclient/jobs.py
@ -46,7 +46,8 @@ class JobManager(object):

    def delete(self, job_id):
        endpoint = self.endpoint + job_id
-        r = requests.delete(endpoint, headers=self.headers, verify=self.verify)
+        r = requests.delete(endpoint, headers=self.headers,
+                            verify=self.verify)
        if r.status_code != 204:
            raise exceptions.ApiClientException(r)

--- a/freezer/apiclient/sessions.py
+++ b/freezer/apiclient/sessions.py
@ -45,7 +45,8 @@ class SessionManager(object):

    def delete(self, session_id):
        endpoint = self.endpoint + session_id
-        r = requests.delete(endpoint, headers=self.headers, verify=self.verify)
+        r = requests.delete(endpoint, headers=self.headers,
+                            verify=self.verify)
        if r.status_code != 204:
            raise exceptions.ApiClientException(r)

--- a/freezer/osclients.py
+++ b/freezer/osclients.py
@ -104,7 +104,8 @@ class ClientManager:
            region_name=options.region_name,
            insecure=self.insecure,
            endpoint_type=options.endpoint_type or 'publicURL',
-            service_type="volume")
+            service_type="volume",
+            cacert=options.cert)
        return self.cinder

    def create_swift(self):
@ -122,7 +123,8 @@ class ClientManager:
            tenant_name=options.tenant_name,
            os_options=options.os_options,
            auth_version=self.swift_auth_version,
-            insecure=self.insecure, retries=6)
+            insecure=self.insecure, retries=6,
+            cacert=options.cert)

        if self.dry_run:
            self.swift = DryRunSwiftclientConnectionWrapper(self.swift)
@ -149,7 +151,8 @@ class ClientManager:
                        os_auth_url=options.auth_url,
                        os_region_name=options.region_name,
                        endpoint_type=options.endpoint_type,
-                        force_auth=False))
+                        force_auth=False,
+                        cacert=options.cert))

        self.glance = gclient.Client(version="1",
                                     endpoint=endpoint, token=token)
@ -170,7 +173,8 @@ class ClientManager:
            project_id=options.tenant_name,
            auth_url=options.auth_url,
            region_name=options.region_name,
-            insecure=self.insecure)
+            insecure=self.insecure,
+            cacert=options.cert)

        return self.nova

--- a/freezer/scheduler/arguments.py
+++ b/freezer/scheduler/arguments.py
@ -16,17 +16,12 @@ limitations under the License.
 """

 import os
-from oslo_config import cfg
-from oslo_log import log
 import sys

+from oslo_config import cfg
+from oslo_log import log
+
 from freezer import __version__ as FREEZER_VERSION
-
-CONF = cfg.CONF
-_LOG = log.getLogger(__name__)
-
-
-
 from freezer.apiclient import client as api_client
 from freezer import winutils

@ -36,6 +31,10 @@ else:
    DEFAULT_FREEZER_SCHEDULER_CONF_D = '/etc/freezer/scheduler/conf.d'


+CONF = cfg.CONF
+_LOG = log.getLogger(__name__)
+
+
 def getCommonOpts():
    scheduler_conf_d = os.environ.get('FREEZER_SCHEDULER_CONF_D',
                                      DEFAULT_FREEZER_SCHEDULER_CONF_D)
@ -64,15 +63,15 @@ def getCommonOpts():
                    '\n If not specified it will be automatically created \n'
                    'using the tenant-id and the machine hostname.'),
    cfg.BoolOpt('no-api',
-               default=False,
-               dest='no_api',
-               short='n',
-               help='Prevents the scheduler from using the api service'),
+                default=False,
+                dest='no_api',
+                short='n',
+                help='Prevents the scheduler from using the api service'),
    cfg.BoolOpt('active-only',
-               default=False,
-               dest='active_only',
-               short='a',
-               help='Filter only active jobs/session'),
+                default=False,
+                dest='active_only',
+                short='a',
+                help='Filter only active jobs/session'),
    cfg.StrOpt('conf',
               default=scheduler_conf_d,
               dest='jobs_dir',
@ -87,13 +86,14 @@ def getCommonOpts():
               help='Specifies the api-polling interval in seconds. '
                    'Defaults to 60 seconds'),
    cfg.BoolOpt('no-daemon',
-               default=False,
-               dest='no_daemon',
-               help='Prevents the scheduler from running in daemon mode'),
+                default=False,
+                dest='no_daemon',
+                help='Prevents the scheduler from running in daemon mode'),
    cfg.BoolOpt('insecure',
-               default=False,
-               dest='insecure',
-               help='Initialize freezer scheduler with insecure mode'),
+                default=False,
+                short='K',
+                dest='insecure',
+                help='Initialize freezer scheduler with insecure mode'),
    ]

    return common_opts
--- a/freezer/scheduler/freezer_scheduler.py
+++ b/freezer/scheduler/freezer_scheduler.py
@ -190,13 +190,13 @@ def main():
        return 65  # os.EX_DATAERR

    apiclient = None
-    verify = True
+    insecure = False
    if CONF.insecure:
-        verify = False
+        insecure = True

    if CONF.no_api is False:
        try:
-            apiclient = client.Client(opts=CONF, verify=verify)
+            apiclient = client.Client(opts=CONF, insecure=insecure)
            if CONF.client_id:
                apiclient.client_id = CONF.client_id
        except Exception as e:
--- a/freezer/scheduler/win_service.py
+++ b/freezer/scheduler/win_service.py
@ -32,7 +32,7 @@ class PySvc(win32serviceutil.ServiceFramework):
        # create an event to listen for stop requests on
        self.hWaitStop = win32event.CreateEvent(None, 0, 0, None)
        self.home = r'C:\.freezer'
-        self.verify = True
+        self.insecure = False

    def SvcDoRun(self):
        """Run the windows service and start the scheduler in the background
@ -68,7 +68,7 @@ class PySvc(win32serviceutil.ServiceFramework):
        set_environment(self.home)

        if os.environ.get('SERVICE_INSECURE'):
-            self.verify = False
+            self.insecure = True

        # Add support for keystone v2 and v3
        credentials = {}
@ -80,7 +80,7 @@ class PySvc(win32serviceutil.ServiceFramework):
                'auth_url': os.environ['OS_AUTH_URL'],
                'endpoint': os.environ['OS_BACKUP_URL'],
                'tenant_name': os.environ['OS_TENANT_NAME'],
-                'verify': self.verify
+                'insecure': self.insecure
            }
        elif os.environ['OS_IDENTITY_API_VERSION'] == 3:
            credentials = {
@ -92,7 +92,7 @@ class PySvc(win32serviceutil.ServiceFramework):
                'project_name': os.environ['OS_PROJECT_NAME'],
                'user_domain_name': os.environ['OS_USER_DOMAIN_NAME'],
                'project_domain_name': os.environ['OS_PROJECT_DOMAIN_NAME'],
-                'verify': self.verify
+                'insecure': self.insecure
            }

        client = freezer.apiclient.client.Client(**credentials)
--- a/freezer/utils.py
+++ b/freezer/utils.py
@ -39,7 +39,8 @@ class OpenstackOptions:
    """
    def __init__(self, user_name, tenant_name, project_name, auth_url,
                 password, identity_api_version, tenant_id=None,
-                 region_name=None, endpoint_type=None):
+                 region_name=None, endpoint_type=None, cert=None,
+                 insecure=False, verify=True):
        self.user_name = user_name
        self.tenant_name = tenant_name
        self.auth_url = auth_url
@ -49,6 +50,9 @@ class OpenstackOptions:
        self.identity_api_version = identity_api_version
        self.region_name = region_name
        self.endpoint_type = endpoint_type
+        self.cert = cert
+        self.insecure = insecure
+        self.verify = verify
        if not (self.password and self.user_name and self.auth_url and
           (self.tenant_name or self.project_name)):
            raise Exception("Please set up in your env:"
@ -85,7 +89,8 @@ class OpenstackOptions:
            password=src_dict.get('OS_PASSWORD', None),
            tenant_id=src_dict.get('OS_TENANT_ID', None),
            region_name=src_dict.get('OS_REGION_NAME', None),
-            endpoint_type=src_dict.get('OS_ENDPOINT_TYPE', None)
+            endpoint_type=src_dict.get('OS_ENDPOINT_TYPE', None),
+            cert=src_dict.get('OS_CERT', None)
        )


--- a/tests/unit/test_apiclient_client.py
+++ b/tests/unit/test_apiclient_client.py
@ -130,6 +130,8 @@ class TestClientMock(unittest.TestCase):
                  'session': 'foxtrot',
                  'endpoint': 'golf',
                  'version': 'hotel',
+                  'cert': 'india',
+                  'insecure': 'juliet',
                  'opts': Mock()}
        c = client.Client(**kwargs)
        self.assertIsInstance(c, client.Client)
--- a/tests/unit/test_osclients.py
+++ b/tests/unit/test_osclients.py
@ -24,7 +24,8 @@ class TestOsClients(unittest.TestCase):

    fake_options = utils.OpenstackOptions(
        user_name="user", tenant_name="tenant", project_name="project",
-        auth_url="url", password="password", identity_api_version="3")
+        auth_url="url", password="password", identity_api_version="3",
+        insecure=False, cert='cert', verify=True)

    def test_init(self):
        osclients.ClientManager(self.fake_options, None, None, None)
@ -45,7 +46,8 @@ class TestOsClients(unittest.TestCase):
        options = utils.OpenstackOptions(
            user_name="user", tenant_name="tenant", project_name="project",
            auth_url="url", password="password", identity_api_version="3",
-            endpoint_type="adminURL")
+            endpoint_type="adminURL", insecure=False, cert='cert',
+            verify=True)
        client = osclients.ClientManager(options, None, None, None)
        client.create_swift()